Security and Usability: Designing Secure Systems That People Can Use [Paperback]

Lorrie Faith Cranor (Author), Simson Garfinkel (Author)

Book Description

ISBN-10: 0596008279 | ISBN-13: 978-0596008277 | Publication Date: September 1, 2005 | Edition: 1

Human factors and usability issues have traditionally played a limited role in security research and secure systems development. Security experts have largely ignored usability issues--both because they often failed to recognize the importance of human factors and because they lacked the expertise to address them.

But there is a growing recognition that today's security problems can be solved only by addressing issues of usability and human factors. Increasingly, well-publicized security breaches are attributed to human errors that might have been prevented through more usable software. Indeed, the world's future cyber-security depends upon the deployment of security technology that can be broadly used by untrained computer users.

Still, many people believe there is an inherent tradeoff between computer security and usability. It's true that a computer without passwords is usable, but not very secure. A computer that makes you authenticate every five minutes with a password and a fresh drop of blood might be very secure, but nobody would use it. Clearly, people need computers, and if they can't use one that's secure, they'll use one that isn't. Unfortunately, unsecured systems aren't usable for long, either. They get hacked, compromised, and otherwise rendered useless.

There is increasing agreement that we need to design secure systems that people can actually use, but less agreement about how to reach this goal. Security & Usability is the first book-length work describing the current state of the art in this emerging field. Edited by security experts Dr. Lorrie Faith Cranor and Dr. Simson Garfinkel, and authored by cutting-edge security and human-computer interaction (HCI) researchers world-wide, this volume is expected to become both a classic reference and an inspiration for future research.

Security & Usability groups 34 essays into six parts:

• Realigning Usability and Security---with careful attention to user-centered design principles, security and usability can be synergistic.
• Authentication Mechanisms-- techniques for identifying and authenticating computer users.
• Secure Systems--how system software can deliver or destroy a secure user experience.
• Privacy and Anonymity Systems--methods for allowing people to control the release of personal information.
• Commercializing Usability: The Vendor Perspective--specific experiences of security and software vendors (e.g., IBM, Microsoft, Lotus, Firefox, and Zone Labs) in addressing usability.
• The Classics--groundbreaking papers that sparked the field of security and usability.

This book is expected to start an avalanche of discussion, new ideas, and further advances in this important field.

Editorial Reviews

Review

"It's good. Buy it for your team library." - Lindsay Marshall, news@UK, June 2006

About the Author

Dr. Lorrie Faith Cranor is an Associate Research Professor in the School of Computer Science at Carnegie Mellon University. She is a faculty member in the Institute for Software Research, International and in the Engineering and Public Policy department. She is director of the CMU Usable Privacy and Security Laboratory (CUPS).

Simson Garfinkel is a journalist, entrepreneur, and international authority on computer security. Garfinkel is chief technology officer at Sandstorm Enterprises, a Boston-based firm that develops state-of-the-art computer security tools.

Product Details

• Paperback: 744 pages
• Publisher: O'Reilly Media; 1 edition (September 1, 2005)
• Language: English
• ISBN-10: 0596008279
• ISBN-13: 978-0596008277
• Product Dimensions: 9.1 x 7 x 1.3 inches
• Shipping Weight: 2.3 pounds (View shipping rates and policies)
• Average Customer Review: 5.0 out of 5 stars  See all reviews (10 customer reviews)
• Amazon Best Sellers Rank: #612,047 in Books (See Top 100 in Books)

More About the Author

Discover books, learn about writers, read author blogs, and more.

Customer Reviews

Most Helpful Customer Reviews

9 of 9 people found the following review helpful:

5.0 out of 5 stars Great overview with surprising amount of detailed coverage, September 20, 2005

By 

Don R. Hanson II (Beaverton, OR USA) - See all my reviews
(REAL NAME)   

This review is from: Security and Usability: Designing Secure Systems That People Can Use (Paperback)

Security and Usability; pick one at the expense of the other is the story we've all heard time and again. More secure systems are harder to use; for example longer secure passwords are harder to remember than shorter, more easily guessed ones.

In the real world it has been recently noticed that when security "gets in the way"; it is often circumvented by the users. For example, systems that "upgrade security" by requiring lengthy passwords often result in sticky notes appearing as people begin to write their passwords down. The book explores a number of topics from the perspective that improved usability can enhance the real world security of a system.

The chapters are written by different authors and grouped around related topics. It's hard to pull off these kinds of books well, but I believe this one succeeds. I put the chapters into three categories; talking points, patterns I can use, and presentations.

Talking point chapters help me explain to others how improving usability can improve security; examples include "Usable Security" and "Design for Usability". Patterns I can use chapters present a framework for evaluating different approaches to common security problems; such as evaluating authentication mechanisms. Presentation chapters discuss a particular topic presenting pros and cons, such as "Identifying Users from Their Type Patterns" or "Informed Consent by Design".

I enjoyed reading this book. If you're considering buying or designing a secure system I recommend checking it out.

8 of 8 people found the following review helpful:

5.0 out of 5 stars Security Should *NOT* Be About Inconvenience, October 26, 2005

By 

Christopher Byrne "The Business Controls Caddy" (Atlanta, GA USA) - See all my reviews
(REAL NAME)   

This review is from: Security and Usability: Designing Secure Systems That People Can Use (Paperback)

"Security is about inconvenience". This what the national Lotus Notes manager for a federal agency said to me last January at Lotusphere 2005. We were discussing their policy to block all incoming zip files at the gateway without telling users what formats would be acceptable as mail attachments. I disagreed with him then and I find that I am not alone. In "Security and Usability: Designing Secure Systems That People Can Use" (Lorrie Faith Cranor and Simon Garfinkel (Ed), 2005, 716 pages, ISBN 0596008279), O'Reilly has assembled a comprehensive and far-reaching set of 34 essays that challenges commonly held beliefs of the information security community and provides a solid basis to open new dialogues about the trade-offs between security and usability of systems. Without a doubt, it is now on my recommendation list of "must read" books for the information security, application development, system administration, and IT audit communities.

The book is broken down into six sections. In the first, "Realigning Usability and Security", the reader is presented with five essays which hammer home the point that if security of applications and systems are not made user friendly, the users can and will find ways to bypass them. This may range from doing whatever they can to bypass the controls put in place to not using the systems at all. The next section, "Authentication Mechanisms", covers topics that include the evaluation of authentication mechanisms, the problems of passwords, challenge questions, biometrics and more.

The third section, "Secure Systems", covers specific issues associated wit the use of PKI, the sanitizing of equipment being disposed, desktop security, and security administration tools/practices. From here, the fourth section, "Privacy and Anonymity Systems", deals with the challenging topic of privacy. The essays in this section focus on human-computer interaction, policies, analysis and more.

The fifth section, "Commercializing Usability: The Vendor Perspective", sealed the deal from me. Why? Because it allowed the book to grow beyond a purely academic discussion to a discussion of real world challenges faced and addressed by vendors. The vendors selected - ZoneAlarm, Firefox, Microsoft, IBM/Lotus, and the now 'defunct' Groove Networks - are important because each vendor addresses important issues in strong security and IT governance as collaboration becomes more important.

The final section, "The Classics", provides 3 essays focusing on users not being the enemy, a study of KaZaA, and why people cannot encrypt.

Who Should Read This Book

The discussions presented in this book need to be discussed, even debated, if advances in the field are going to occur. And this debate should not be limited to the IT security community. This is because security is everyone's responsibility. As I said at the beginning of this review, I consider this book to be a "must read" for the information security, application development, system administration, and IT audit communities.

The Scorecard

Eagle on a 600 yard Par 5 playing into a stiff wind

8 of 8 people found the following review helpful:

5.0 out of 5 stars Users Are Not the Enemy, October 8, 2005

By 

Brett Merkey (Palm Harbor, FL United States) - See all my reviews
(REAL NAME)   

This review is from: Security and Usability: Designing Secure Systems That People Can Use (Paperback)

I make Web applications for a living. Our team strives to make them usable. I have always preferred to leave security to the security professional. Maybe that's not working. I suspect there are a lot of other GUI designers, usability folk, project managers, business analysts, and product managers out there arriving at the same conclusion.

Have you felt the frustration of working through client interviews, screen reviews, team discussions and iterations of tests to make the most usable possible application -- only to learn that users stumble time and again even getting to your product? User authentication and authorization complaints rank right at the top in most help staff logs. This book may provide some alternatives to passive acceptance of things as they are.

It is hard to summarize a 750 page book with over 60 contributors. There is a lot here for a broad range of interests. Yes, some chapters have a load of mind-numbing jargon, but as a whole, this material is very approachable by the professions I mentioned above. Many of the contributors are from the ranks of the same professions. Stats are mixed with anecdotes in an interesting way.

Bruce Tognazzini's "Design for Usability" was a personal favorite -- and so was the chapter on designing the interface to ZoneAlarm, a product familiar to most.

If there is one theme that unites all the contributions, it is expressed in the title of Ch. 32: "Users Are Not the Enemy." Amen to that.